Roman Polanski Arrest Spawns Headline-Hooking Rogues

By Andrew Brandt and Brenden Vaughan

As we’ve seen repeatedly over the past several months, once a celebrity becomes the top news story, a cascade of malware distributors races to get their drive-by pages to the top of the search results. Today’s victim/subject is Roman Polanski, the renowned film director arrested on decades-old charges of statutory rape. This kind of gossipy, tabloid headline is like candy for rogue antivirus distributors.

We began our search the minute we found out the news, and yes, within about half an hour of the story breaking, the pages began appearing in the search results on various engines. While some of the malicious pages were tied to search terms based on the director’s name, many also reference his victim, Samantha Geimer. The results redirect you to a fake virus scan page, which in turn leads you to a download of Windows PC Defender, a known rogue in the same vein as Antivirus 2010 and the other scam antivirus tools so popular among Web criminals this year. Trojan-IM.Win32.Faker, indeed.

Not only does this rogue pretend to be an anti-malware tool, but it throws a monkey wrench into almost any existing protection, adding Image File Execution Options registry keys (the mechanism Windows uses to attach a debugger to a named executable, and a favorite way to keep a program from ever launching) that prevent nearly all legitimate free and commercial antimalware tools from running. It also drops a Hosts file that prevents infected computers from contacting 12 payment processing domains associated with Antivirus 2010, and that redirects all Google (including nearly 200 international Google domains), Yahoo, MSN, and Bing search results through a server belonging to search-gala.com, whose IP address is geolocated to an ISP in Brampton, Ontario, Canada (go Timberwolves!).
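Both of the tampering tricks above leave artifacts that can be triaged offline: the IFEO “Debugger” values in a registry export, and the entries in a copied Hosts file. The Python below is an added example written for this post, not Webroot’s code and not anything recovered from the rogue. The sample inputs are constructed: the sinkholed payment domain (`payment-processor.example`), the redirect target (`198.51.100.7`, a TEST-NET-2 address), the hijacked scanner name (`avscan.exe`) and the allowlist of legitimate debuggers are all stand-ins, since the post does not list the actual domains or IP.

```python
"""Offline triage for the two artifacts described above: IFEO "Debugger"
entries that hijack anti-malware executables, and a hosts file that sinkholes
rival payment domains and redirects search engines. Added example, not
Webroot's code. All sample inputs below are constructed."""
import ipaddress
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")
# Debuggers you would expect to see legitimately (assumption; extend as needed).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe"}
# Label roots of the search engines the post says are hijacked.
SEARCH_ROOTS = {"google", "yahoo", "bing", "msn", "live"}

# Constructed hosts file: default localhost lines, one sinkholed payment domain
# standing in for a rival rogue's billing site, and search engines pointed at a
# TEST-NET-2 address standing in for the attacker's proxy.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       payment-processor.example     # constructed
198.51.100.7    www.google.com google.com     # constructed redirect target
198.51.100.7    www.google.co.uk
198.51.100.7    search.yahoo.com www.bing.com
"""

# Constructed `reg export` of the IFEO key: a fictitious AV scanner whose
# Debugger is svchost.exe (which just exits, so the scanner never starts), a
# legitimate JIT debugger, and an unrelated IFEO setting that must be ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
"""


def ifeo_debuggers(reg_text):
    """Map image name -> Debugger value for every direct IFEO subkey in a .reg export."""
    debuggers, image = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            subkey, image = line[1:-1], None
            if subkey.lower().startswith(IFEO_KEY.lower() + "\\"):
                tail = subkey[len(IFEO_KEY) + 1:]
                if tail and "\\" not in tail:        # direct child = image name
                    image = tail.lower()
            continue
        m = re.match(r'"Debugger"="(.*)"$', line, re.IGNORECASE)
        if image and m:
            # .reg exports double every backslash inside string values.
            debuggers[image] = m.group(1).replace("\\\\", "\\")
    return debuggers


def audit_ifeo(reg_text, known=KNOWN_DEBUGGERS):
    """Return (image, debugger) pairs whose debugger is not a recognised tool."""
    hits = []
    for image, dbg in ifeo_debuggers(reg_text).items():
        # Basename of the debugger command, minus quotes and trailing arguments.
        exe = dbg.strip('"').split()[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe not in known:
            hits.append((image, dbg))
    return sorted(hits)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from a hosts file, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                  # not a hosts entry
        for host in fields[1:]:
            yield ip, host.lower()


def audit_hosts(text, roots=SEARCH_ROOTS):
    """Flag sinkholed domains and search engines redirected away from the real site."""
    findings = []
    for ip, host in parse_hosts(text):
        local = ip.is_loopback or ip.is_unspecified
        if local and host not in ("localhost", "localhost.localdomain"):
            findings.append({"kind": "sinkhole", "host": host, "ip": str(ip)})
        elif not local and roots & set(host.split(".")):
            findings.append({"kind": "redirect", "host": host, "ip": str(ip)})
    return findings


if __name__ == "__main__":
    for image, dbg in audit_ifeo(SAMPLE_REG):
        print(f"IFEO hijack: {image} -> {dbg}")
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts {f['kind']}: {f['host']} -> {f['ip']}")
```

On a live machine the inputs come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (note that `reg export` writes UTF-16, so open the file with `encoding="utf-16"`) and from `%SystemRoot%\System32\drivers\etc\hosts`. The label-root match is deliberately loose so it catches any of the ~200 country-code Google domains; it will also flag something like `google.evil.example`, which is fine for a triage pass.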

Not content to be a single-solution product, Windows PC Defender is a full faux-suite, offering completely fictitious desktop firewall results as well as antivirus. The rogue uses a modified copy of a free tool called Multi Password Recovery to extract your Windows license key and display it in the firewall “alert,” presumably to raise the anxiety level of the person who sees the “warning” message. The warning claims that “your computer is making an unauthorized personal data transfer” to an IP address assigned to NASA, one that is currently not in use. Because everyone knows NASA wants your Windows license key, for, you know, space missions. amirite? Could an imaginary anti-phishing toolbar be around the corner? Who knows what’s next for these enterprising, though predictable, con artists.

Not to be outdone, distributors of black-market drugs began using Twitter to spread ads as well, with an under-140-character tagline promising juicy Polanski-arrest news. We’ll keep an eye on the situation, but it’s probably best to steer clear of links to unfamiliar sites, especially those promising revealing or “previously undisclosed” pictures, movies, or other such nonsense.